Internet of Things Exposures & Enterprise Risk
By Stephanie Snyder Tomlinson, U.S. Cyber Sales Leader and Kevin P. Kalinich, Cyber Global Practice Leader, Aon Risk Solutions [NYSE:AON]
What is the “Internet of Things”?
A working mother pulls out her mobile device on the train home from work to: (i) turn on the oven to pre-heat dinner; (ii) check the thermostat to ensure it is warm enough when her three daughters arrive home from school; (iii) monitor her dad’s heart device; and (iv) verify the gas level and tire air pressure in her car before the kids’ dance class that night. So long as the transportation logistics, home appliances and utilities work properly, it should be a smooth night. What common element do all of these “things” rely on? The revolutionary Internet of Things (“IoT”) – computer devices that are sensor-equipped and connected via the Internet. Gartner predicts that in 2016 a staggering 5.5 million web-enabled devices will be added each day, with Cisco predicting total IoT devices to rise to over 50 billion by 2020. It is imperative that organizations analyze their IoT exposures and develop risk solutions in a proactive, rather than reactive, manner in order to avoid exposing balance sheets and boards of directors to uncalculated risk.
Identify the Exposures
The IoT phenomenon is unfolding faster than developers can address the accompanying security vulnerabilities and risk management concerns. We are living in a new world in which our “things” can compromise our privacy or even harm us. Few anticipated the privacy, trespass, security, tangible property damage and bodily injury risks from augmented reality, such as Pokemon Go. While telematics in vehicles or home appliances may seem helpful when we need roadside assistance or to diagnose maintenance issues, they can also report our speed, or our diet. On a larger scale, office, manufacturing, utility, supply chain, and transportation systems increasingly rely on “smart” Internet-connected technology.
It’s estimated that 70 percent of the most commonly used devices contain serious vulnerabilities. We recently saw white-hat hackers take control of automobiles via IoT systems, and power grids in Ukraine and Israel taken down by malicious hackers. It is easy to imagine a murderous hacker disabling such things as a life-sustaining medical device or an aviation system.
Disruptions or exploited vulnerabilities in integrated IoT systems have the potential to cause business interruption, tangible property damage, supply chain shut down, and bodily injury.
In the recently released book, “Lights Out,” Ted Koppel argues that the U.S. is a nation unprepared to survive the aftermath of a cyber attack on critical infrastructure. Each new IoT device represents an additional access point for hackers, essentially broadening the attack surface of any organization. The following are several IoT legal considerations:
► Privacy and security regulations (such as FDA IT security guidelines for medical devices)
► Varying country regulations
► Chain of liability
► Ownership of data
► Availability of bandwidth and ‘net neutrality’
► Intellectual Property
► Automated contracts (between two connected machines)
Taking a step back from the doomsday implications of IoT, it should be noted that many IoT products can actually reduce exposures. Research firm IDC predicts IoT will become a $1.46 trillion international market by 2020, up from $700 billion last year. Google paid $3.2 billion for smart thermostat maker Nest. Home automation startups being incubated by Microsoft Ventures carry a number of safety benefits, such as turning off your stove or protecting against water damage. IBM recently announced a $3 billion investment in IoT and is launching a multitude of services with its Watson “smart” products that will make us safer, such as alerting car insurance policyholders of storms before damage occurs.
Analyze Enterprise Risk
While IoT innovations aim to increase efficiency and facilitate data analytics, they also increase organizational risk. From a liability standpoint, there is exposure for organizations involved in the design, production, delivery and servicing of an IoT device that allegedly causes economic loss, bodily injury or tangible property damage. From an organizational expense standpoint, smart offices, factories, and computer-based logistics systems face new business interruption risks. Organizations must review their involvement with IoT and identify related exposures and methods to mitigate the risk. An insurance gap analysis should be conducted to determine coverage under existing policies and the need for enhancements under current policies and/or standalone cyber insurance:
► What coverage is there under existing property, general liability, crime, Errors and Omissions/Professional Liability insurance policies?
► What gaps are there in current policies?
► Is a cyber insurance policy required?
Develop Risk Solutions
While it is impossible to predict the exact impact of the IoT, it is incumbent upon every organization to understand the risks associated with the IoT, their potential impact, and appropriate risk solutions to address those exposures.
Organizations that choose not to address their cyber risk exposures do so at their own peril. Cyber risk flows through an entire organization, and failing to adequately address those risks could result in management facing allegations of breach of fiduciary duty, implicating the board of directors. The IoT is a boardroom issue, as cyber risk has the ability to directly impact an organization’s balance sheet.
From a risk transfer perspective, the IoT revolution will force the insurance industry to better clarify where coverage starts and stops under each type of insurance policy. Property and general liability insurers are inconsistent and/or hesitant to cover cyber exposures. Likewise, the cyber insurance market has been slow to embrace affirmative property or general liability coverage for losses arising from a network security breach. The market needs an all-risk insurance policy that combines the actuarial data of property losses with cyber insurance technical expertise, in order to appropriately address the potential breadth, frequency and severity of losses.
As we enter this time of revolutionary change and interconnectivity, the IoT will provide us with the unprecedented ability to connect people and machines. The benefits are enormous, but so are the risks. Organizations must be mindful of both as they integrate smart technology into the workplace and beyond.